- /login by email & password
- /register by email & password
- /passwords/forgot
- /passwords/reset
- /oauth/fb
2FA: if a user logs in from a new device (new device ID) OR a new IP, we need to send them an OTP via email to validate the login.
Consider using Kong for the authentication layer. We don't write our own crypto, so why should we write our own auth?
Q: Why separate Local.js (Local Login Credentials) and User.js? Similarly, we seem to have 'Facebook.js' and 'Google.js' models to capture OAuth return callback parameters.
A: Keep user information separate: authentication, billing, and identity information should all be in separate services with separate databases.
Q: Is there a reason why we're not using Passport.js for authentication?